May 15, 2017
Within many organisations, security gets a bad rep...
Even with top-tier talent manning your security team, there are a handful of wider issues that limit their ability to improve the overall security of the organisation.
Thankfully, all is not lost. Security’s poor reputation usually stems from a lack of education; and by understanding the cyclical process that interferes with secure application development, you can take major steps to improve security’s reputation within your organisation.
The Security-Developer Cycle
A big part of security’s role is running penetration and web application security tests. When these tests are run, the security team will often end up with a laundry list of potential vulnerabilities. This report is then handed over to the development team, with an apparently simple request: ‘remediate these vulnerabilities’.
Crucially though, most development teams lack any degree of security knowledge. They don’t have the training and experience necessary to understand security’s reports, let alone remediate against the problems. The security team have gone to the developers with a confusing report, and effectively criticised their project without offering any guidance.
The developers are unable to remediate against the problems, and unbeknownst to the security team, no action is taken. The next time a web app or pen test is run, the security team find the same vulnerabilities as before, and grow frustrated with the dev team's apparent lack of action. This cyclical process prevents the remediation of potentially dangerous vulnerabilities, and sows discord between the security and dev teams.
The Business Risk
As well as harming the efficacy of security processes, and creating friction between the two departments, this cyclical process can burden an organisation with unnecessary risk.
Even if the development and security teams are able to sit down and discuss security reporting, it soon becomes apparent that the dev’s project plan doesn’t allow time for effective remediation of vulnerabilities. Developers are typically under immense pressure to create functionality-rich applications to incredibly tight deadlines, and without organisation-wide security awareness, adequate remediation time won’t be built into a project plan.
As a result, the security team are forced to take the issue further up the managerial hierarchy. They have to tell the organisation that they’ve found vulnerabilities, but because of the project plan, can’t mitigate against them. The organisation then has a choice – delay the project, or bear the risks of the vulnerabilities. The organisation will almost always choose to bear the increased risks, and continue with rollout – and even though the security team have completed their job, they end up being the bearers of bad news.
Empowering Developers with Security Knowledge
In many organisations, this cyclical process is obvious, but issues with cultural security resistance, failed security programs and costly security shelfware prevent organisations from solving the problem. Thankfully, the vicious cycle can be stopped by empowering developers with security knowledge.
Organisations Need a Security Curriculum
In order to minimise the needs for remediation, it’s essential to educate developers around the best practices of secure application development. Given the intense schedules of most developers, this is often easier said than done.
Typically, computer-based training (CBT) offers the best way to improve security, without intruding into the dev team’s existing commitments. Several 2-3 hour lessons will allow developers to complete role-specific training around their current project, and improve their ability to understand and remediate the vulnerabilities identified by security.
Developers Need Access to a Repository of Security Knowledge
The best practices of secure application development are constantly evolving, and developers need access to a central repository of security knowledge.
Creating a regularly-updated database of information will allow developers to continually improve their knowledge of vulnerabilities, and improve the security of their code. Security will find fewer vulnerabilities, and those that are identified will be far easier to remediate. The friction between departments will be reduced, and a culture of pro-active security will begin to develop within the organisation – improving both the reputation of security, and its efficacy.